TLS 1.2 handshake issue (Server Certificate request)

Dmitry Belyavsky beldmit at gmail.com
Fri Feb 7 20:25:49 UTC 2020


If you have the server's key and certificate, the command will be smth like

openssl s_server -key key -cert cert -CAfile file_with_ca -verify_return_error

file_with_ca should contain a concatenation of the certs of the CAs that
should issue the client's certificate.

If you don't have the server keypair, try to understand smth from the
command

openssl s_client -connect host:port -cert clicert -key clikey.

At least you'll hopefully see the list of allowed client certificate
issuers.

Please read the manuals of s_client/s_server apps for more details.

On Fri, Feb 7, 2020 at 11:18 PM Bashin, Vladimir <vbashin at empirix.com>
wrote:

> Thanks Dmitry!
>
> Do I need the server certificate in order to run those commands?
>
> Also , could you please point me to the exact commands that I’d need to
> execute in order to reproduce the tls handshake ?
>
>
>
> Regards,
>
> VB
>
>
>
> *From:* Dmitry Belyavsky <beldmit at gmail.com>
> *Sent:* Friday, February 7, 2020 3:07 PM
> *To:* Bashin, Vladimir <vbashin at empirix.com>
> *Cc:* openssl-users at openssl.org
> *Subject:* Re: TLS 1.2 handshake issue (Server Certificate request)
>
>
>
> Hello Vladimir,
>
>
>
> It's worth trying to reproduce the situation using openssl
> s_client/s_server command-line apps.
>
>
>
> On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <vbashin at empirix.com>
> wrote:
>
> Hello, OpenSSL experts !
>
>
>
> We need your help in better understanding a below behavior -
>
>
>
> We are experiencing issue during the initial TLS handshake :
>
> We have the customer-issued TLS certificate that we deploy on our TLS
> client system
>
> The certs  have been generated with a CSR that was generated on customer’s
>  FIPS compliant server
>
> The CSR was then signed by CA hosted on SMGR
>
>
>
> During the endpoint registration with the server we have an endpoint
> initiated TLS handshake – during that handshake the TLS server requests the
> client Certificate but our TLS client responds with the Certificates Length
> 0 that causes the TLS server to respond with the Handshake Failure.
>
>
>
>
>
> The Google search gives some generic ideas on why that might be happening
> – something along the following lines - that could be happening in case the
> client’s certificate does not match the server certificate – for example,
> due to a signing authority mismatch, or due to the encryption cipher type
> mismatch, or maybe due to some other factors.
>
>
>
> Could you please help us in better understanding this issue – what else
> could be wrong or missing in the Server and Client certificates ?
>
>
> Thanks,
>
> Vladimir Bashin
>
>
>
>
>
>
> --
>
> SY, Dmitry Belyavsky
>


-- 
SY, Dmitry Belyavsky
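The s_server/s_client reproduction suggested above, as an added example that is not from the thread or from OpenSSL itself: it builds a throwaway CA plus server and client certs, runs s_server requiring a client cert, and connects three ways (trusted cert, no cert, cert from an untrusted CA) so the resulting alerts can be compared with the "Certificates Length 0" failure described in the question. DIR, PORT and the certificate names are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): replay a TLS 1.2 client-certificate handshake
# against a local s_server so the outcomes can be told apart: a cert the server trusts,
# no cert at all (the "Certificates Length 0" case) and a cert from a CA it does not trust.
# Assumes openssl in PATH, a free local port (PORT) and a writable work dir (DIR);
# every key and cert below is throwaway material constructed here.
DIR=${DIR:-./tlsdemo}; PORT=${PORT:-14433}

# issue <ca> <name>: sign a leaf cert for <name> with the CA named <ca> (both in $DIR)
issue() {
  (cd "$DIR" && openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
      -subj "/CN=$2" && openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
      -CAcreateserial -out "$2.crt" -days 1) >/dev/null 2>&1
}

# make_pki: two self-signed CAs ("ca" is the one the server trusts), a server cert,
# a client cert from "ca" and a "stranger" cert from "otherca"
make_pki() {
  mkdir -p "$DIR" || return 1
  for ca in ca otherca; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DIR/$ca.key" -out "$DIR/$ca.crt" \
      -subj "/CN=$ca" -days 1 >/dev/null 2>&1 || return 1
  done
  issue ca server && issue ca client && issue otherca stranger
}

# handshake <none|client|stranger>: start a server that demands a client cert issued by
# "ca", connect with the given identity, and print ok / handshake_failure (alert 40,
# no cert sent) / unknown_ca (alert 48, untrusted issuer) / other
handshake() {
  openssl s_server -accept "127.0.0.1:$PORT" -tls1_2 -www -key "$DIR/server.key" \
    -cert "$DIR/server.crt" -CAfile "$DIR/ca.crt" -Verify 1 -verify_return_error >"$DIR/server.log" 2>&1 &
  srv=$!; sleep 1
  cert=""; [ "$1" = none ] || cert="-cert $DIR/$1.crt -key $DIR/$1.key"
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
    -CAfile "$DIR/ca.crt" -ign_eof $cert >"$DIR/client-$1.log" 2>&1 || true
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  if grep -q "HTTP/1.0 200 ok" "$DIR/client-$1.log"; then echo ok
  elif grep -q "alert number 40" "$DIR/client-$1.log"; then echo handshake_failure
  elif grep -q "alert number 48" "$DIR/client-$1.log"; then echo unknown_ca
  else echo other; fi
}

# acceptable_cas <identity>: the issuer names the server advertised in its
# CertificateRequest, as recorded by s_client during handshake <identity>
acceptable_cas() {
  sed -n '/^Acceptable client certificate CA names/,/^Client Certificate Types/p' \
    "$DIR/client-$1.log"
}
```

Run `make_pki`, then `handshake client`, `handshake none` and `handshake stranger`; `acceptable_cas client` afterwards shows the CA list the server sent, which is what a client that filters its certificate by issuer compares against before deciding to send an empty Certificate message.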